graphify-integration
Fail
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's installation section explicitly directs the user to run "pip install graphifyy". The doubled "y" suffix matches a common typosquatting pattern that targets developers who intended to install a tool named "graphify". Before treating the package as malicious, confirm the install name against the upstream project's own documentation and the PyPI metadata for both names (maintainer, linked repository, release history): a doubled letter is also how legitimate maintainers work around a PyPI name that is already taken.
- [REMOTE_CODE_EXECUTION]: By instructing the user to install and run a potentially malicious package (graphifyy), the skill risks arbitrary code execution on the user's system, either during "pip install" itself (a source distribution can run arbitrary code through its build backend at install time) or when the subsequent "graphify build ." command is executed.
- [COMMAND_EXECUTION]: The skill documentation encourages the execution of several shell commands, including package installation, a tool-specific build command, and multiple subcommands via a local Node.js script (cavekit-tools.cjs).
Recommendations
- AI detected serious security threats
Audit Metadata